If you want to build a safe house, you don’t just focus on the roof. The same logic applies when you build business applications. Every layer of your system architecture – Application, Presentation, Session, Transport, Network, Data and Physical – should comply with your organization’s security protocol. Applying the lessons of the past is necessary, but you also have to be smarter than before to anticipate newer threats.
Being aware of cyber security practices and being continuously tested for compliance are equally important. Following are some of my experiences that you may find useful in your efforts to be cyber safe.
- Ownership and accountability for Software Composition Analysis (SCA) during development: Irrespective of the software development methodology, someone should be responsible for running the vulnerability check. It is even more critical if you use open-source components. There are SCA tools available that can scan both your source and binaries.
- Static Application Security Testing (SAST) as early as unit testing of the codebase: Continuous testing is a critical part of your CI/CD mechanism. Code and its automated test scripts should be version controlled for effectiveness. Along with the scripts that check functionality, you should also develop scripts that check for security weaknesses. There are SAST tools that can run on source and binaries.
- Runtime application behavior is not easy to test. Even when you have coded all the logic as per the published security protocol, the application may still have runtime vulnerabilities. Session handling, memory leakage, cookies, authentication, requests and responses should all be tested dynamically. This Dynamic Application Security Testing (DAST) is typically done during systems/regression testing for large-scale scanning.
- Testing for device types: Operating systems vary across devices, and so does binary behavior. It is vital to assess the security vulnerabilities of the application binaries with respect to the devices they run on. Mobile phones, tablets, POS terminals, laptops, etc. can introduce vulnerabilities at runtime.
- Security composition in the platform ecosystem: Your cloud and/or application platform provider’s reputation does not automatically certify the security of your applications. It is essential to align and test the security protocols of your native and cloud applications with your service provider.
- Runtime application self-protection: It is a smart step to set up runtime security monitoring that checks application traffic and user behavior to detect cyber threats and prevent them. In addition to running security testing during the development, integration and acceptance phases of systems development, having a cyber watchman monitor the production runtime extends security coverage further.
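As an added example (not code from the original post), here is what a "script to check security weaknesses" from the SAST item can look like when it targets the cookie and session handling named in the DAST item: a checker that fails the CI build if the session cookie is missing its protective flags or its id is too short. `build_session_cookie` is a hypothetical application helper, and the weak configuration it can produce is constructed only to show the checker catching it.

```python
from typing import Dict, List
import http.cookies
import secrets


def new_session_id() -> str:
    """Session id from the OS CSPRNG: 32 bytes, hex-encoded (64 chars)."""
    return secrets.token_hex(32)


def build_session_cookie(session_id: str, secure: bool = True,
                         httponly: bool = True, samesite: str = "Strict") -> str:
    """Hypothetical app helper returning the Set-Cookie header value.
    The optional flags exist only so a weak configuration can be checked."""
    jar = http.cookies.SimpleCookie()
    jar["session"] = session_id
    jar["session"]["path"] = "/"
    if httponly:
        jar["session"]["httponly"] = True
    if secure:
        jar["session"]["secure"] = True
    if samesite:
        jar["session"]["samesite"] = samesite
    return jar.output(header="").strip()


def check_session_cookie(set_cookie: str) -> List[str]:
    """Security test: list the weaknesses found in a Set-Cookie value.
    An empty list passes; the CI job fails the build otherwise."""
    parts = [p.strip() for p in set_cookie.split(";")]
    _name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict/Lax: cookie rides on cross-site requests")
    if len(value) < 32:  # fewer than 128 bits of hex is too guessable
        findings.append("session id shorter than 128 bits")
    return findings


def run_checks() -> Dict[str, List[str]]:
    """CI entry point: check the hardened cookie and a constructed weak one."""
    hardened = build_session_cookie(new_session_id())
    weak = build_session_cookie("1234", secure=False, httponly=False, samesite="")
    return {"hardened": check_session_cookie(hardened), "weak": check_session_cookie(weak)}
```

The same checker can be pointed at the real Set-Cookie headers captured during DAST, so one assertion covers both the unit-test and the runtime stage.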
Enabling a culture of producing secure applications is difficult. Mandating security requirements, testing, and continuously monitoring for weaknesses are steps towards a safer future. Be safe!